MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b
SHA3-384 hash: 93a9070fa7d59a6cc440f548919980b941324d6122e06ec0c5baaf1dfe4bce7c3f094a57ee9c094bab769fa0a3c319f2
SHA1 hash: 63bdc380bf50ac080d497528658adfab8f0c46e1
MD5 hash: 81c6a03bd51759f1e0d6f911f81b0296
humanhash: fanta-paris-india-mirror
File name:81c6a03bd51759f1e0d6f911f81b0296.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:838'144 bytes
First seen:2023-03-14 04:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PIO8lpXU5ZkXX+6gD5kcSAhz4wVwg0IzxzAlSwO1GJ5qVdWZwgcGtbirN6/cf:P++6gD5knAhz4Q4Iziwo5qyZGGpicu
Threatray 20 similar samples on MalwareBazaar
TLSH T16A058E4083485F2CF6E0667D31683DC26F8168CCE9AEBBEF59A7D879B5D885507C6C02
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 70f0e6d4cca8f070 (15 x AgentTesla, 6 x SnakeKeylogger, 5 x Loki)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
193.42.32.107:40220

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
81c6a03bd51759f1e0d6f911f81b0296.exe
Verdict:
Malicious activity
Analysis date:
2023-03-14 04:07:35 UTC
Tags:
rat redline trojan stealer
Link:
https://app.any.run/tasks/9c06bd1b-ce35-4a1f-b437-89feee33c38e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374111/
Detection(s):
SecuriteInfo.com.Trojan.Siggen20.3796.20377.21087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Sending an HTTP POST request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/640ff2ac56d2bc8d80b76219/reports/42e9f2e9-5667-4a63-9891-72bccf796771/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/561ec3ae-98f5-4c78-90c8-64f63ac75ee3
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192996
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 08:27:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=spu7m2dx2rug3i4anwdrma24fthhhv5tzcekmxepyun42x4usbfq._file
Verdict:
malicious
Similar samples:
088c2f0914786aef4076d2c680c5d0c817696ada1f2f5a31b9e8250680f796bd
RedLineStealer
266ca870683a1298ffaebc57c82a67e460e9686077bfc8eae363f09be1fe3ae0
RedLineStealer
278e5ea9416fabd8821c86c7b242b9ced4a5345b79852177e2895acd5b560257
RedLineStealer
34295d7afd974fbf4786c737e60c28c8c1b8f2376465623e9ef49b7cedb26e71
RedLineStealer
47e1d89da75be7ba1e921b45eac47f7267511eab4eab244a4e74c75bf0f9276b
RedLineStealer
4e872ac4afe3e4abf1ad67441634b9102df1820ef0eac83282302f4c75930863
RedLineStealer
6373b3649500fd9ad4910c8cb4c4e892026b6ca2a890ae2f9ad5800091132bd4
RedLineStealer
7558016ac4ac085644fa7f85465e331a1764edbc8bcc5baa16779e5595d8d678
RedLineStealer
f2cb2f48de23111c8477b2883c21fd301c8522e6e1a84ead29a73ac3e1c1002e
RedLineStealer
+ 10 additional samples on MalwareBazaar
Result
Malware family:
sectoprat
Create hunting rule
Score:
  10/10
Tags:
family:redline family:sectoprat botnet:2023logz discovery infostealer rat spyware stealer trojan
Link:
https://tria.ge/reports/230314-en3wzafc8z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Malware Config
C2 Extraction:
193.42.32.107:40220
Unpacked files
SH256 hash:
e500556ed0ecaeeb6eb1a7cc0035a22bd847bd62157cb1c28cc60a9cb6bd7f4a
MD5 hash:
d7bc273b689f9b01031c613eb523df42
SHA1 hash:
bee648df9bc95e2aebefc3acf4e673ec2804889c
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ea93c8ec66193edda689208170baee27f3377fe566571d9064aa4cdc182dd4d9
MD5 hash:
73b0cda69f400d2f6b1482b33908627f
SHA1 hash:
5c11bb8d8856cbae6ef20e8b8f604327ca2566cb
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
SH256 hash:
15122eaa25ac59b1781dba696453cb7c9c57e7f5d3dab4259e816c81ede8e436
MD5 hash:
68e5907b5a6f7cbe6b9557f5013a4865
SHA1 hash:
481d08c5a31e4b5b137e099e4f93fbb2158337b2
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
SH256 hash:
cb7f3c953d55f4e0bf188d3aa30559ac58cecf7ae544fc04aed6ac392f4ce1c7
MD5 hash:
3ab69e931504b75a9dcdf9a1b7125acb
SHA1 hash:
46a2f82dcede8bc4dd46ce20f19f2166f5ba9263
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
SH256 hash:
93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b
MD5 hash:
81c6a03bd51759f1e0d6f911f81b0296
SHA1 hash:
63bdc380bf50ac080d497528658adfab8f0c46e1
Link:
https://www.unpac.me/results/c677bcb9-1475-45eb-9c89-89384e0f84bf/
Malware family:
RedLine
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/93e9f66877d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 93e9f66877d4686da3806d8716035c2cce73d7b3c888a65c8fc51bcd5f94904b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2282012/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/374111/

Comments